TL;DR
Storing banking information securely is critical. Avoid storing it directly in your application code or databases if possible. Use a dedicated Payment Card Industry Data Security Standard (PCI DSS) compliant provider, tokenization, and strong encryption methods. If you must store data yourself, follow strict security best practices.
1. Understand the Risks
Storing banking details (account numbers, sort codes, card numbers, CVV codes) carries huge risks:
- Data Breaches: Hackers targeting sensitive financial data.
- Compliance Issues: Regulations like GDPR and PCI DSS impose strict rules.
- Reputational Damage: Loss of customer trust if a breach occurs.
The best approach is often to not store this information at all.
2. Best Option: Use a PCI DSS Compliant Provider
This is the most secure and recommended method. Providers like Stripe, PayPal, Braintree, and others handle sensitive data for you, taking on the compliance burden.
- Tokenization: They replace your customer’s banking details with a unique token. You store the token instead of the actual data.
- Secure APIs: You interact with the provider through secure APIs to process payments.
Example (Stripe):
// Example using Stripe's API to create a payment method
const stripe = require('stripe')('YOUR_STRIPE_SECRET_KEY');
async function createPaymentMethod(cardDetails) {
const paymentMethod = await stripe.paymentMethods.create({
type: 'card',
card: cardDetails,
});
return paymentMethod.id;
}
You would store paymentMethod.id, not the card details.
3. If You Must Store Data (Avoid if Possible)
If you absolutely must store banking information yourself (e.g., for recurring billing where a PCI DSS provider isn’t suitable), follow these steps:
3.1 Encryption
- Use Strong Encryption: Employ industry-standard encryption algorithms like AES-256.
- Key Management: Securely store and manage your encryption keys. Don’t hardcode them into your application! Use a Hardware Security Module (HSM) or a dedicated key management service.
- Encrypt at Rest & In Transit: Encrypt the data when it’s stored in your database and while it’s being transmitted between systems (using TLS/SSL).
Example (encrypting with Node.js using crypto module):
const crypto = require('crypto');
function encrypt(text, key) {
const cipher = crypto.createCipheriv('aes-256-cbc', key, 'initialization_vector');
let encryptedData = cipher.update(text);
encryptedData += cipher.final();
return encryptedData.toString('hex');
}
Important: This is a simplified example. Proper implementation requires secure key handling and initialization vector (IV) management.
3.2 Database Security
- Limit Access: Restrict database access to only essential personnel and applications.
- Regular Audits: Regularly audit your database for vulnerabilities and suspicious activity.
- Data Masking/Tokenization (Even Within Your System): Consider tokenizing the data even within your own system, reducing exposure.
3.3 CVV Storage – NEVER STORE IT
Never store Card Verification Value (CVV) codes! PCI DSS explicitly prohibits this. It’s a major security risk and can lead to severe penalties.
3.4 Secure Coding Practices
- Input Validation: Validate all input data to prevent injection attacks.
- Regular Security Scans: Perform regular vulnerability scans and penetration testing.
- Keep Software Updated: Patch your systems promptly to address security vulnerabilities.
4. Compliance
If you handle cardholder data, you must comply with PCI DSS requirements. This involves a comprehensive set of standards covering network security, data protection, vulnerability management, and access control.
- PCI DSS Website: https://www.pcisecuritystandards.org/